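    def post(self, board):
        """Create a new board owned by the calling user.

        The caller is always recorded as the creator; a body that names a
        different ``creator_id`` is rejected with 400. ``owners`` become the
        members of the board's ``edit_board`` permission (defaulting to the
        caller when empty) and ``users`` the members of its ``move_cards``
        permission. Due dates cannot be set at creation time and are dropped
        from the body.

        Every owner and user id is resolved *before* anything is written:
        ``users_api.user_get`` returns ``None`` for an unknown id, and the
        original code only dereferenced it after the board, lanes and
        permissions had already been created, turning a bad id into a 500
        with a half-created board left behind. An unknown id is now a 400.

        NOTE(review): the caller is not forced into ``owners``; a body that
        lists owners without the caller creates a board on which the creator
        holds no ``edit_board`` permission — confirm that is intended.

        :param board: A board within the request body.
        :return: The created board as an API model.
        """
        board_dict = board.as_dict()
        user_id = request.current_user_id

        if board.creator_id and board.creator_id != user_id:
            abort(400, _("You can't select the creator of a board."))
        board_dict.update({"creator_id": user_id})

        lanes = board_dict.pop('lanes') or []
        owners = board_dict.pop('owners') or [user_id]
        users = board_dict.pop('users') or []

        # We can't set due dates when creating boards at the moment.
        board_dict.pop('due_dates', None)

        def resolve_names(user_ids):
            # One {id: full_name} entry per id, in request order; this is
            # the shape board_permission_created_event consumes. Rejecting
            # unknown ids here keeps create_permission from failing
            # mid-way with a permission granted to nobody.
            names = []
            for uid in user_ids:
                member = users_api.user_get(uid)
                if member is None:
                    abort(400, _("User %s not found.") % uid)
                names.append({uid: member.full_name})
            return names

        event_owners = resolve_names(owners)
        event_users = resolve_names(users)

        created_board = boards_api.create(board_dict)
        events_api.board_created_event(created_board.id, user_id,
                                       created_board.title,
                                       created_board.description)
        for lane in lanes:
            # The nested worklist object is dropped before the lane is
            # persisted; only the lane's own set fields are sent to add_lane.
            del lane.worklist
            boards_api.add_lane(created_board, lane.as_dict(omit_unset=True))
            events_api.board_lanes_changed_event(created_board.id,
                                                 user_id,
                                                 added=serialize_lane(lane))

        edit = boards_api.create_permission(created_board.id, {
            'name': 'edit_board_%d' % created_board.id,
            'codename': 'edit_board',
            'users': owners,
        })
        move = boards_api.create_permission(created_board.id, {
            'name': 'move_cards_%d' % created_board.id,
            'codename': 'move_cards',
            'users': users,
        })
        events_api.board_permission_created_event(created_board.id, user_id,
                                                  edit.id, edit.codename,
                                                  event_owners)
        events_api.board_permission_created_event(created_board.id, user_id,
                                                  move.id, move.codename,
                                                  event_users)

        return wmodels.Board.from_db_model(created_board)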
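    def put(self, user_id, user):
        """Modify this user.

        Only the user themselves or a superuser may update a record; anyone
        else gets 403. A non-superuser additionally may not change
        ``enable_login`` or ``is_superuser``: those keys are silently dropped
        from the request rather than rejected, so a self-edit cannot grant
        itself superuser or re-enable a disabled login.

        NOTE(review): the ownership test compares ``request.current_user_id``
        with the path parameter directly; it relies on both being the same
        type (ints). Confirm the framework coerces ``user_id``.

        :param user_id: Unique id to identify the user.
        :param user: A user within the request body.
        :return: The updated user as an API model.
        """
        current_user = users_api.user_get(request.current_user_id)

        if request.current_user_id != user_id \
                and not current_user.is_superuser:
            abort(403, _("You are not allowed to update this user."))

        # Only fields actually set in the body are applied.
        user_dict = user.as_dict(omit_unset=True)

        if not current_user.is_superuser:
            # Privileged flags: strip them instead of the six.iterkeys()
            # membership dance, which did the same thing less directly.
            for protected in ('enable_login', 'is_superuser'):
                user_dict.pop(protected, None)

        updated_user = users_api.user_update(user_id, user_dict)
        return wmodels.User.from_db_model(updated_user)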
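def get_all(title=None, creator_id=None, user_id=None, project_id=None,
            task_id=None, story_id=None, sort_field=None, sort_dir=None,
            **kwargs):
    """Return boards matching the given filters.

    When ``user_id`` is given the result is further restricted to boards on
    which that user holds at least one permission. The other filters still
    apply in that case: the previous implementation recursed with no
    arguments, so ``title``, ``creator_id``, ``project_id``, ``task_id`` and
    ``story_id`` were silently ignored whenever ``user_id`` was set. An
    unknown ``user_id`` now yields an empty list instead of an
    AttributeError on ``None.permissions``.

    ``task_id`` and ``story_id`` are applied in Python via ``has_card``
    after the query; ``title``, ``creator_id``, ``project_id``, sorting and
    ``kwargs`` go to ``api_base.entity_get_all``.

    :return: list of Board models.
    """
    if user_id is not None:
        user = users_api.user_get(user_id)
        if user is None:
            return []
        candidates = get_all(title=title, creator_id=creator_id,
                             project_id=project_id, task_id=task_id,
                             story_id=story_id, sort_field=sort_field,
                             sort_dir=sort_dir, **kwargs)
        held = user.permissions
        return [board for board in candidates
                if any(permission in board.permissions
                       for permission in held)]

    boards = api_base.entity_get_all(models.Board,
                                     title=title,
                                     creator_id=creator_id,
                                     project_id=project_id,
                                     sort_field=sort_field,
                                     sort_dir=sort_dir,
                                     **kwargs)

    # Card membership is checked per board after the query.
    if task_id:
        boards = [board for board in boards
                  if has_card(board, 'task', task_id)]
    if story_id:
        boards = [board for board in boards
                  if has_card(board, 'story', story_id)]

    return boards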
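    def put(self, user_id, user):
        """Modify this user.

        Only the user themselves or a superuser may update a record; anyone
        else gets 403. A non-superuser additionally may not change
        ``enable_login`` or ``is_superuser``: those keys are silently dropped
        from the request rather than rejected, so a self-edit cannot grant
        itself superuser or re-enable a disabled login.

        NOTE(review): the ownership test compares ``request.current_user_id``
        with the path parameter directly; it relies on both being the same
        type (ints). Confirm the framework coerces ``user_id``.

        :param user_id: Unique id to identify the user.
        :param user: A user within the request body.
        :return: The updated user as an API model.
        """
        current_user = users_api.user_get(request.current_user_id)

        if request.current_user_id != user_id \
                and not current_user.is_superuser:
            abort(403, _("You are not allowed to update this user."))

        # Only fields actually set in the body are applied.
        user_dict = user.as_dict(omit_unset=True)

        if not current_user.is_superuser:
            # Privileged flags: strip them instead of the six.iterkeys()
            # membership dance, which did the same thing less directly.
            for protected in ('enable_login', 'is_superuser'):
                user_dict.pop(protected, None)

        updated_user = users_api.user_update(user_id, user_dict)
        return wmodels.User.from_db_model(updated_user)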
def team_delete_user(team_id, user_id):
    """Remove user ``user_id`` from team ``team_id`` and return the team.

    Runs inside a (sub)transaction on a fresh session.

    :raises exc.NotFound: if the team or the user does not exist.
    :raises ClientSideError: if the user is not a member of the team.
    """
    session = api_base.get_session()

    with session.begin(subtransactions=True):
        team = _entity_get(team_id, session)
        if team is None:
            raise exc.NotFound(_("Team %s not found") % team_id)

        if users.user_get(user_id) is None:
            raise exc.NotFound(_("User %s not found") % user_id)

        # First membership row with a matching id, or None.
        member = next((u for u in team.users if u.id == user_id), None)
        if member is None:
            raise ClientSideError(
                _("The User %(user_id)d is not in "
                  "Team %(team_id)d") % {
                      'user_id': user_id,
                      'team_id': team_id
                  })

        team.users.remove(member)
        session.add(team)

    return team
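    def get(self, marker=None, limit=None, full_name=None,
            sort_field='id', sort_dir='asc'):
        """Page and filter the users in storyboard.

        Non-public user fields are stripped from the listing
        (``filter_non_public=True``). The page marker is only looked up
        when one was supplied; the previous code called ``user_get(None)``
        on every unmarked request. The old docstring also documented a
        ``username`` parameter this method does not take.

        :param marker: The resource id where the page should begin.
        :param limit: The number of users to retrieve; negative values are
            clamped to 0.
        :param full_name: A string of characters to filter the full_name with.
        :param sort_field: The name of the field to sort on.
        :param sort_dir: Sort direction for results (asc, desc).
        :return: list of User API models; X-Limit, X-Total and X-Marker
            response headers describe the page.
        """

        # Boundary check on limit.
        if limit is not None:
            limit = max(0, limit)

        # Resolve the marker record only if a marker was given.
        marker_user = None
        if marker is not None:
            marker_user = users_api.user_get(marker)

        users = users_api.user_get_all(marker=marker_user, limit=limit,
                                       full_name=full_name,
                                       filter_non_public=True,
                                       sort_field=sort_field,
                                       sort_dir=sort_dir)
        user_count = users_api.user_get_count(full_name=full_name)

        # Apply the query response headers.
        if limit:
            response.headers['X-Limit'] = str(limit)
        response.headers['X-Total'] = str(user_count)
        if marker_user:
            response.headers['X-Marker'] = str(marker_user.id)

        return [wmodels.User.from_db_model(u) for u in users]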
    def post(self, story):
        """Create a new story.

        Example::

          curl 'https://my.example.org/api/v1/stories' \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN' \\
          -H 'Content-Type: application/json;charset=UTF-8' \\
          --data-binary '{"title":"Test Story","description":"A test story."}'

        The caller is recorded as the creator (a different ``creator_id``
        in the body is a 400). Story types 3 and 4 are refused outright,
        and ``story_can_create_story`` must accept the type. ``users`` and
        ``teams`` from the body only take effect for a private story, where
        they seed its view permission; an empty users+teams pair falls back
        to the caller so a private story cannot be created with nobody
        able to see it. Due dates cannot be set here.

        :param story: A story within the request body.
        :return: The created story as an API model.
        """

        # Reject private story types while ACL is not created.
        story_type_id = story.story_type_id
        if story_type_id in (3, 4):
            abort(400, _("Now you can't add story with type %s.") %
                  story_type_id)

        story_dict = story.as_dict()
        user_id = request.current_user_id

        if story.creator_id and story.creator_id != user_id:
            abort(400, _("You can't select author of story."))

        story_dict["creator_id"] = user_id

        if not stories_api.story_can_create_story(story_type_id):
            abort(400, _("Can't create story of this type."))

        if not story_dict.get("tags"):
            story_dict["tags"] = []

        # We can't set due dates when creating stories at the moment.
        story_dict.pop("due_dates", None)

        # Permission seeds. A missing users list, or an empty users list
        # together with an empty teams list, defaults to the caller.
        teams = story_dict.pop("teams", None) or []
        users = story_dict.pop("users", None)
        if users is None or (users == [] and teams == []):
            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]

        created_story = stories_api.story_create(story_dict)
        events_api.story_created_event(created_story.id, user_id, story.title)

        if story.private:
            stories_api.create_permission(created_story, users, teams)

        return wmodels.Story.from_db_model(created_story)
def get_permissions(worklist, user_id):
    """Return the codenames of ``worklist``'s permissions held by ``user_id``.

    An unknown user holds nothing, so an empty list is returned.
    """
    user = users_api.user_get(user_id)
    if user is None:
        return []
    held = user.permissions
    return [perm.codename for perm in worklist.permissions if perm in held]
def get_permissions(due_date, user_id):
    """Return the codenames of ``due_date``'s permissions held by ``user_id``.

    An unknown user holds nothing, so an empty list is returned.
    """
    user = users_api.user_get(user_id)
    if user is None:
        return []
    held = user.permissions
    return [perm.codename for perm in due_date.permissions if perm in held]
def get_permissions(board, user_id):
    """Return the codenames of ``board``'s permissions held by ``user_id``.

    An unknown user holds nothing, so an empty list is returned.
    """
    user = users_api.user_get(user_id)
    if user is None:
        return []
    held = user.permissions
    return [perm.codename for perm in board.permissions if perm in held]
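    def get(self,
            marker=None,
            limit=None,
            target_type=None,
            target_id=None,
            user_id=None,
            sort_field='id',
            sort_dir='asc'):
        """Retrieve a list of subscriptions for the authorized user.

        Example::

          curl https://my.example.org/api/v1/subscriptions \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN'

        A non-superuser always gets their own subscriptions: any other
        ``user_id`` (or none) is silently replaced by the caller's id rather
        than rejected. A superuser may pass any ``user_id``, or none to
        list across users. A marker belonging to a different user than the
        one being listed is ignored, as the subscription-events listing
        already does, so it cannot anchor a page in someone else's list.

        :param marker: The resource id where the page should begin.
        :param limit: The number of subscriptions to retrieve.
        :param target_type: The type of resource to search by.
        :param target_id: The unique ID of the resource to search by.
        :param user_id: The unique ID of the user to search by.
        :param sort_field: The name of the field to sort on.
        :param sort_dir: Sort direction for results (asc, desc).
        """

        # Boundary check on limit.
        if limit is not None:
            limit = max(0, limit)

        # Sanity check on user_id
        current_user = user_api.user_get(request.current_user_id)
        if user_id != request.current_user_id \
                and not current_user.is_superuser:
            user_id = request.current_user_id

        # Resolve the marker record, only when one was supplied.
        marker_sub = None
        if marker is not None:
            marker_sub = subscription_api.subscription_get(marker)
        if marker_sub and user_id is not None \
                and marker_sub.user_id != user_id:
            marker_sub = None

        subscriptions = subscription_api.subscription_get_all(
            marker=marker_sub,
            limit=limit,
            target_type=target_type,
            target_id=target_id,
            user_id=user_id,
            sort_field=sort_field,
            sort_dir=sort_dir)
        subscription_count = subscription_api.subscription_get_count(
            target_type=target_type, target_id=target_id, user_id=user_id)

        # Apply the query response headers.
        if limit:
            response.headers['X-Limit'] = str(limit)
        response.headers['X-Total'] = str(subscription_count)
        if marker_sub:
            response.headers['X-Marker'] = str(marker_sub.id)

        return [Subscription.from_db_model(s) for s in subscriptions]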
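    def get(self,
            marker=None,
            offset=None,
            limit=None,
            event_type=None,
            subscriber_id=None,
            sort_field='id',
            sort_dir='asc'):
        """Retrieve a list of subscription events.

        Only the subscriber themselves or a superuser may list a
        subscriber's events; anyone else gets 403. Note that a request
        without ``subscriber_id`` is therefore rejected for non-superusers,
        because ``None`` never equals the caller's id.

        A marker that does not belong to ``subscriber_id`` is ignored. The
        ownership field on this model is ``subscriber_id`` — the same
        attribute ``get_one`` and ``delete`` check — whereas the previous
        code compared ``marker_sub.user_id``, which would raise
        AttributeError on the first request that actually supplied a marker.

        :param marker: The resource id where the page should begin.
        :param offset: The offset to begin the page at.
        :param limit: The number of subscription events to retrieve.
        :param event_type: The type of resource to search by.
        :param subscriber_id: The unique ID of the subscriber to search by.
        :param sort_field: The name of the field to sort on.
        :param sort_dir: Sort direction for results (asc, desc).
        """

        # Boundary check on limit.
        if limit is not None:
            limit = max(0, limit)

        current_user = user_api.user_get(request.current_user_id)
        if current_user.id != subscriber_id and \
                not current_user.is_superuser:
            abort(403, _("Permission Denied"))

        # Resolve the marker record after the authorization check, and
        # only when one was supplied.
        marker_sub = None
        if marker is not None:
            marker_sub = subscription_events_api.subscription_events_get(
                marker)
        if marker_sub and marker_sub.subscriber_id != subscriber_id:
            marker_sub = None

        subscriptions = subscription_events_api.subscription_events_get_all(
            marker=marker_sub,
            offset=offset,
            limit=limit,
            subscriber_id=subscriber_id,
            event_type=event_type,
            sort_field=sort_field,
            sort_dir=sort_dir)
        subscription_count = \
            subscription_events_api.subscription_events_get_count(
                subscriber_id=subscriber_id,
                event_type=event_type)

        # Apply the query response headers.
        if limit:
            response.headers['X-Limit'] = str(limit)
        if offset is not None:
            response.headers['X-Offset'] = str(offset)
        response.headers['X-Total'] = str(subscription_count)
        if marker_sub:
            response.headers['X-Marker'] = str(marker_sub.id)

        return [SubscriptionEvent.from_db_model(s) for s in subscriptions]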
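def create_permission(due_date_id, permission_dict, session=None):
    """Create a permission on due date ``due_date_id`` and grant it to users.

    ``permission_dict['users']`` is popped (the caller's dict is mutated)
    and holds the ids of the users to grant the new permission to; the
    remaining keys are the Permission columns.

    The due date and every user id are resolved *before* the permission row
    is created. ``users_api.user_get`` returns ``None`` for an unknown id;
    the previous code only noticed that after the permission had been
    attached to the due date, leaving a permission granted to nobody.

    :raises ValueError: if the due date or any user id does not resolve.
        NOTE(review): if this module imports the project's exception
        module, raise its NotFound here instead so the API layer maps the
        failure to a 404 rather than a 500.
    """
    due_date = _due_date_get(due_date_id, session=session)
    if due_date is None:
        raise ValueError("Due date %s not found" % due_date_id)

    user_ids = permission_dict.pop('users')
    grantees = []
    for user_id in user_ids:
        user = users_api.user_get(user_id, session=session)
        if user is None:
            raise ValueError("User %s not found" % user_id)
        grantees.append(user)

    permission = api_base.entity_create(
        models.Permission, permission_dict, session=session)
    due_date.permissions.append(permission)
    for user in grantees:
        user.permissions.append(permission)
    return permission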
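def create_permission(due_date_id, permission_dict, session=None):
    """Create a permission on due date ``due_date_id`` and grant it to users.

    ``permission_dict['users']`` is popped (the caller's dict is mutated)
    and holds the ids of the users to grant the new permission to; the
    remaining keys are the Permission columns.

    The due date and every user id are resolved *before* the permission row
    is created. ``users_api.user_get`` returns ``None`` for an unknown id;
    the previous code only noticed that after the permission had been
    attached to the due date, leaving a permission granted to nobody.

    :raises ValueError: if the due date or any user id does not resolve.
        NOTE(review): if this module imports the project's exception
        module, raise its NotFound here instead so the API layer maps the
        failure to a 404 rather than a 500.
    """
    due_date = _due_date_get(due_date_id, session=session)
    if due_date is None:
        raise ValueError("Due date %s not found" % due_date_id)

    user_ids = permission_dict.pop('users')
    grantees = []
    for user_id in user_ids:
        user = users_api.user_get(user_id, session=session)
        if user is None:
            raise ValueError("User %s not found" % user_id)
        grantees.append(user)

    permission = api_base.entity_create(
        models.Permission, permission_dict, session=session)
    due_date.permissions.append(permission)
    for user in grantees:
        user.permissions.append(permission)
    return permission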
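def create_permission(worklist_id, permission_dict, session=None):
    """Create a permission on worklist ``worklist_id`` and grant it to users.

    ``permission_dict['users']`` is popped (the caller's dict is mutated)
    and holds the ids of the users to grant the new permission to; the
    remaining keys are the Permission columns.

    The worklist and every user id are resolved *before* the permission row
    is created. ``users_api.user_get`` returns ``None`` for an unknown id;
    the previous code only noticed that after the permission had been
    attached to the worklist, leaving a permission granted to nobody.

    :raises ValueError: if the worklist or any user id does not resolve.
        NOTE(review): if this module imports the project's exception
        module, raise its NotFound here instead so the API layer maps the
        failure to a 404 rather than a 500.
    """
    worklist = _worklist_get(worklist_id, session=session)
    if worklist is None:
        raise ValueError("Worklist %s not found" % worklist_id)

    user_ids = permission_dict.pop('users')
    grantees = []
    for user_id in user_ids:
        user = users_api.user_get(user_id, session=session)
        if user is None:
            raise ValueError("User %s not found" % user_id)
        grantees.append(user)

    permission = api_base.entity_create(
        models.Permission, permission_dict, session=session)
    worklist.permissions.append(permission)
    for user in grantees:
        user.permissions.append(permission)
    return permission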
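def create_permission(board_id, permission_dict, session=None):
    """Create a permission on board ``board_id`` and grant it to users.

    ``permission_dict['users']`` is popped (the caller's dict is mutated)
    and holds the ids of the users to grant the new permission to; the
    remaining keys are the Permission columns.

    The board and every user id are resolved *before* the permission row is
    created. ``users_api.user_get`` returns ``None`` for an unknown id; the
    previous code only noticed that after the permission had been attached
    to the board, leaving a permission granted to nobody.

    :raises ValueError: if the board or any user id does not resolve.
        NOTE(review): if this module imports the project's exception
        module, raise its NotFound here instead so the API layer maps the
        failure to a 404 rather than a 500.
    """
    board = _board_get(board_id, session=session)
    if board is None:
        raise ValueError("Board %s not found" % board_id)

    user_ids = permission_dict.pop('users')
    grantees = []
    for user_id in user_ids:
        user = users_api.user_get(user_id, session=session)
        if user is None:
            raise ValueError("User %s not found" % user_id)
        grantees.append(user)

    permission = api_base.entity_create(
        models.Permission, permission_dict, session=session)
    board.permissions.append(permission)
    for user in grantees:
        user.permissions.append(permission)
    return permission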
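def create_permission(board_id, permission_dict, session=None):
    """Create a permission on board ``board_id`` and grant it to users.

    ``permission_dict['users']`` is popped (the caller's dict is mutated)
    and holds the ids of the users to grant the new permission to; the
    remaining keys are the Permission columns.

    The board and every user id are resolved *before* the permission row is
    created. ``users_api.user_get`` returns ``None`` for an unknown id; the
    previous code only noticed that after the permission had been attached
    to the board, leaving a permission granted to nobody.

    :raises ValueError: if the board or any user id does not resolve.
        NOTE(review): if this module imports the project's exception
        module, raise its NotFound here instead so the API layer maps the
        failure to a 404 rather than a 500.
    """
    board = _board_get(board_id, session=session)
    if board is None:
        raise ValueError("Board %s not found" % board_id)

    user_ids = permission_dict.pop('users')
    grantees = []
    for user_id in user_ids:
        user = users_api.user_get(user_id, session=session)
        if user is None:
            raise ValueError("User %s not found" % user_id)
        grantees.append(user)

    permission = api_base.entity_create(
        models.Permission, permission_dict, session=session)
    board.permissions.append(permission)
    for user in grantees:
        user.permissions.append(permission)
    return permission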
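def create_permission(worklist_id, permission_dict, session=None):
    """Create a permission on worklist ``worklist_id`` and grant it to users.

    ``permission_dict['users']`` is popped (the caller's dict is mutated)
    and holds the ids of the users to grant the new permission to; the
    remaining keys are the Permission columns.

    The worklist and every user id are resolved *before* the permission row
    is created. ``users_api.user_get`` returns ``None`` for an unknown id;
    the previous code only noticed that after the permission had been
    attached to the worklist, leaving a permission granted to nobody.

    :raises ValueError: if the worklist or any user id does not resolve.
        NOTE(review): if this module imports the project's exception
        module, raise its NotFound here instead so the API layer maps the
        failure to a 404 rather than a 500.
    """
    worklist = _worklist_get(worklist_id, session=session)
    if worklist is None:
        raise ValueError("Worklist %s not found" % worklist_id)

    user_ids = permission_dict.pop('users')
    grantees = []
    for user_id in user_ids:
        user = users_api.user_get(user_id, session=session)
        if user is None:
            raise ValueError("User %s not found" % user_id)
        grantees.append(user)

    permission = api_base.entity_create(
        models.Permission, permission_dict, session=session)
    worklist.permissions.append(permission)
    for user in grantees:
        user.permissions.append(permission)
    return permission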
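    def put(self, team_id, user_id):
        """Add a user to a team.

        The response is the added user with non-public fields stripped —
        the same view the user listing and ``get_one`` give for other
        users. The previous code returned the unfiltered model, exposing
        fields the rest of the API hides from anyone but the user
        themselves. The filter flag is passed positionally to
        ``users_api.user_get`` exactly as ``UsersController.get_one`` does.

        NOTE(review): no caller-authorization check is visible in this
        method; unless a decorator or the controller enforces one, any
        authenticated caller can add members to any team — confirm.

        :param team_id: An ID of the team.
        :param user_id: An ID of the user.
        :return: The added user as an API model, non-public fields removed.
        """

        teams_api.team_add_user(team_id, user_id)

        filter_non_public = True
        user = users_api.user_get(user_id, filter_non_public)

        return wmodels.User.from_db_model(user)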
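    def put(self, team_id, user_id):
        """Add a user to a team.

        The response is the added user with non-public fields stripped —
        the same view the user listing and ``get_one`` give for other
        users. The previous code returned the unfiltered model, exposing
        fields the rest of the API hides from anyone but the user
        themselves. The filter flag is passed positionally to
        ``users_api.user_get`` exactly as ``UsersController.get_one`` does.

        NOTE(review): no caller-authorization check is visible in this
        method; unless a decorator or the controller enforces one, any
        authenticated caller can add members to any team — confirm.

        :param team_id: An ID of the team.
        :param user_id: An ID of the user.
        :return: The added user as an API model, non-public fields removed.
        """

        teams_api.team_add_user(team_id, user_id)

        filter_non_public = True
        user = users_api.user_get(user_id, filter_non_public)

        return wmodels.User.from_db_model(user)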
def task_assignee_changed(event):
    """Annotate a task-assignee-changed event with the assignees' names.

    ``event.event_info`` is a JSON document carrying ``old_assignee_id``
    and ``new_assignee_id``. The matching ``old_assignee_fullname`` and
    ``new_assignee_fullname`` keys are added, using the literal
    "unassigned" when the id does not resolve to a user, and the document
    is serialized back onto the event.

    :return: the same event object, mutated.
    """
    def display_name(assignee_id):
        assignee = users_api.user_get(assignee_id)
        return assignee.full_name if assignee else "unassigned"

    info = json.loads(event.event_info)
    info["old_assignee_fullname"] = display_name(info["old_assignee_id"])
    info["new_assignee_fullname"] = display_name(info["new_assignee_id"])

    event.event_info = json.dumps(info)
    return event
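    def get(self, marker=None, limit=None, target_type=None, target_id=None,
            user_id=None, sort_field='id', sort_dir='asc'):
        """Retrieve a list of subscriptions for the authorized user.

        Example::

          curl https://my.example.org/api/v1/subscriptions \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN'

        A non-superuser always gets their own subscriptions: any other
        ``user_id`` (or none) is silently replaced by the caller's id rather
        than rejected. A superuser may pass any ``user_id``, or none to
        list across users. A marker belonging to a different user than the
        one being listed is ignored, as the subscription-events listing
        already does, so it cannot anchor a page in someone else's list.

        :param marker: The resource id where the page should begin.
        :param limit: The number of subscriptions to retrieve.
        :param target_type: The type of resource to search by.
        :param target_id: The unique ID of the resource to search by.
        :param user_id: The unique ID of the user to search by.
        :param sort_field: The name of the field to sort on.
        :param sort_dir: Sort direction for results (asc, desc).
        """

        # Boundary check on limit.
        if limit is not None:
            limit = max(0, limit)

        # Sanity check on user_id
        current_user = user_api.user_get(request.current_user_id)
        if user_id != request.current_user_id \
                and not current_user.is_superuser:
            user_id = request.current_user_id

        # Resolve the marker record, only when one was supplied.
        marker_sub = None
        if marker is not None:
            marker_sub = subscription_api.subscription_get(marker)
        if marker_sub and user_id is not None \
                and marker_sub.user_id != user_id:
            marker_sub = None

        subscriptions = subscription_api.subscription_get_all(
            marker=marker_sub,
            limit=limit,
            target_type=target_type,
            target_id=target_id,
            user_id=user_id,
            sort_field=sort_field,
            sort_dir=sort_dir)
        subscription_count = subscription_api.subscription_get_count(
            target_type=target_type,
            target_id=target_id,
            user_id=user_id)

        # Apply the query response headers.
        if limit:
            response.headers['X-Limit'] = str(limit)
        response.headers['X-Total'] = str(subscription_count)
        if marker_sub:
            response.headers['X-Marker'] = str(marker_sub.id)

        return [Subscription.from_db_model(s) for s in subscriptions]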
    def post(self, subscription):
        """Create a new subscription.
           Note: target_id is the same value as the story_id of a story.

        Example::

           curl https://my.example.org/api/v1/subscriptions \\
           -H 'Authorization: Bearer MY_ACCESS_TOKEN' \\
           -H 'Content-Type: application/json;charset=UTF-8' \\
           --data-binary '{"target_type":"story","target_id":8}'

        Both ``target_type`` and ``target_id`` are required (400). The
        subscription is created for the caller unless ``user_id`` names
        someone else, which only a superuser may do (403). The target must
        exist and be visible to the caller (400), and a user may not hold
        two subscriptions on the same target (409).

        :param subscription: A subscription within the request body.
        :return: The created subscription as an API model.
        """
        target_type = subscription.target_type
        target_id = subscription.target_id
        caller_id = request.current_user_id

        # Data sanity check - are all fields set?
        if not target_type or not target_id:
            abort(400,
                  _('You are missing either the target_type or the'
                    ' target_id'))

        # Sanity check on user_id
        current_user = user_api.user_get(caller_id)
        if not subscription.user_id:
            subscription.user_id = caller_id
        elif subscription.user_id != caller_id \
                and not current_user.is_superuser:
            abort(403, _("You can only subscribe to resources on your own."))

        # Data sanity check: The resource must exist.
        resource = subscription_api.subscription_get_resource(
            target_type=target_type,
            target_id=target_id,
            current_user=caller_id)
        if not resource:
            abort(400, _('You cannot subscribe to a nonexistent resource.'))

        # Data sanity check: The subscription cannot be duplicated for this
        # user.
        duplicates = subscription_api.subscription_get_all(
            target_type=[target_type],
            target_id=target_id,
            user_id=subscription.user_id)
        if duplicates:
            abort(409, _('You are already subscribed to this resource.'))

        created = subscription_api.subscription_create(subscription.as_dict())
        return Subscription.from_db_model(created)
    def get(self, marker=None, offset=None, limit=None, full_name=None,
            email=None, openid=None, sort_field='id', sort_dir='asc'):
        """Page and filter the users in storyboard.

        Example::

          curl https://my.example.org/api/v1/users

        Non-public fields are stripped from every returned user
        (``filter_non_public=True``).

        NOTE(review): ``email`` and ``openid`` are accepted as filters and
        drive both the listing and the ``X-Total`` count, even though those
        fields are hidden from the response. Any caller can therefore probe
        whether a given email or openid is registered by watching the
        count. Consider limiting these two filters to superusers.

        :param marker: The resource id where the page should begin.
        :param offset: The offset to start the page at.
        :param limit: The number of users to retrieve.
        :param full_name: A string of characters to filter the full_name with.
        :param email: A string of characters to filter the email with.
        :param openid: A string of characters to filter the openid with.
        :param sort_field: The name of the field to sort on.
        :param sort_dir: Sort direction for results (asc, desc).
        """
        # Negative limits are clamped to 0.
        page_size = None if limit is None else max(0, limit)

        marker_user = None
        if marker is not None:
            marker_user = users_api.user_get(marker)

        matches = users_api.user_get_all(marker=marker_user,
                                         offset=offset,
                                         limit=page_size,
                                         full_name=full_name,
                                         email=email,
                                         openid=openid,
                                         filter_non_public=True,
                                         sort_field=sort_field,
                                         sort_dir=sort_dir)
        total = users_api.user_get_count(full_name=full_name,
                                         email=email,
                                         openid=openid)

        # Paging headers.
        if page_size:
            response.headers['X-Limit'] = str(page_size)
        response.headers['X-Total'] = str(total)
        if marker_user:
            response.headers['X-Marker'] = str(marker_user.id)
        if offset is not None:
            response.headers['X-Offset'] = str(offset)

        return [wmodels.User.from_db_model(u) for u in matches]
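    def get_one(self, subscription_id):
        """Retrieve a specific subscription record.

        Only the subscription's owner or a superuser may read it. An id
        that does not resolve is a 404; the previous code dereferenced the
        ``None`` returned by ``subscription_get`` (as the other ``*_get``
        helpers here behave) and produced a 500.

        NOTE(review): answering 403 for another user's subscription and 404
        for a missing one tells a caller which ids exist; return 404 for
        both if that matters.

        :param subscription_id: The unique id of this subscription.
        """

        subscription = subscription_api.subscription_get(subscription_id)
        if subscription is None:
            abort(404, _("Subscription %s not found.") % subscription_id)

        current_user = user_api.user_get(request.current_user_id)

        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You do not have access to this record."))

        return Subscription.from_db_model(subscription)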
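    def get_one(self, subscription_event_id):
        """Retrieve a specific subscription event.

        Only the event's subscriber or a superuser may read it. An id that
        does not resolve is a 404; the previous code dereferenced the
        ``None`` returned by ``subscription_events_get`` (as the other
        ``*_get`` helpers here behave) and produced a 500.

        :param subscription_event_id: The unique id of this subscription
            event.
        """
        subscription_event = subscription_events_api \
            .subscription_events_get(subscription_event_id)
        if subscription_event is None:
            abort(404, _("Subscription event %s not found.")
                  % subscription_event_id)

        current_user = user_api.user_get(request.current_user_id)
        if current_user.id != subscription_event.subscriber_id and \
                not current_user.is_superuser:
            abort(403, _("Permission Denied"))

        return SubscriptionEvent.from_db_model(subscription_event)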
    def get_one(self, user_id):
        """Retrieve details about one user.

        Non-public fields are stripped unless the caller is asking for
        their own record.

        :param user_id: The unique id of this user
        :raises exc.NotFound: if no user with that id exists.
        """
        is_self = user_id == request.current_user_id
        # Second positional argument is the filter_non_public flag.
        user = users_api.user_get(user_id, not is_self)
        if not user:
            raise exc.NotFound(_("User %s not found") % user_id)
        return user
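    def delete(self, subscription_id):
        """Delete a specific subscription.

        Only the subscription's owner or a superuser may delete it. An id
        that does not resolve is a 404; the previous code dereferenced the
        ``None`` returned by ``subscription_get`` (as the other ``*_get``
        helpers here behave) and produced a 500.

        :param subscription_id: The unique id of the subscription to delete.
        """
        subscription = subscription_api.subscription_get(subscription_id)
        if subscription is None:
            abort(404, _("Subscription %s not found.") % subscription_id)

        # Sanity check on user_id
        current_user = user_api.user_get(request.current_user_id)
        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You can only remove your own subscriptions."))

        subscription_api.subscription_delete(subscription_id)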
    def get_one(self, user_id):
        """Retrieve details about one user.

        Non-public fields are stripped unless the caller is asking for
        their own record.

        :param user_id: The unique id of this user
        :raises exc.NotFound: if no user with that id exists.
        """
        is_self = user_id == request.current_user_id
        # Second positional argument is the filter_non_public flag.
        user = users_api.user_get(user_id, not is_self)
        if not user:
            raise exc.NotFound(_("User %s not found") % user_id)
        return user
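def create_permission(story, users, session=None):
    """Create the ``view_story`` permission for ``story`` and grant it.

    The story row is re-read (with its tags eagerly loaded) and every user
    is resolved *before* the permission row is created. ``users_api
    .user_get`` returns ``None`` for an unknown id; the previous code only
    dereferenced it after the permission had been attached to the story,
    leaving a permission granted to nobody. Missing rows raise
    ``exc.NotFound`` as ``update_permission`` in this module does.

    :param story: the story; only ``story.id`` is used.
    :param users: objects with an ``id`` attribute (API user models).
    :param session: session for the story query. NOTE(review): the
        permission creation and user lookups below do not receive it and
        so run outside it — confirm that is intended.
    :raises exc.NotFound: if the story or any user does not resolve.
    """
    db_story = api_base.model_query(models.Story, session) \
        .options(subqueryload(models.Story.tags)) \
        .filter_by(id=story.id).first()
    if db_story is None:
        raise exc.NotFound(_("Story %s not found.") % story.id)

    grantees = []
    for member in users:
        db_user = users_api.user_get(member.id)
        if db_user is None:
            raise exc.NotFound(_("User %s not found.") % member.id)
        grantees.append(db_user)

    permission_dict = {
        'name': 'view_story_%d' % db_story.id,
        'codename': 'view_story'
    }
    permission = api_base.entity_create(models.Permission, permission_dict)
    db_story.permissions.append(permission)
    for db_user in grantees:
        db_user.permissions.append(permission)
    return permission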
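def create_permission(story, users, session=None):
    """Create the ``view_story`` permission for ``story`` and grant it.

    The story row is re-read (with its tags eagerly loaded) and every user
    is resolved *before* the permission row is created. ``users_api
    .user_get`` returns ``None`` for an unknown id; the previous code only
    dereferenced it after the permission had been attached to the story,
    leaving a permission granted to nobody. Missing rows raise
    ``exc.NotFound`` as ``update_permission`` in this module does.

    :param story: the story; only ``story.id`` is used.
    :param users: objects with an ``id`` attribute (API user models).
    :param session: session for the story query. NOTE(review): the
        permission creation and user lookups below do not receive it and
        so run outside it — confirm that is intended.
    :raises exc.NotFound: if the story or any user does not resolve.
    """
    db_story = api_base.model_query(models.Story, session) \
        .options(subqueryload(models.Story.tags)) \
        .filter_by(id=story.id).first()
    if db_story is None:
        raise exc.NotFound(_("Story %s not found.") % story.id)

    grantees = []
    for member in users:
        db_user = users_api.user_get(member.id)
        if db_user is None:
            raise exc.NotFound(_("User %s not found.") % member.id)
        grantees.append(db_user)

    permission_dict = {
        'name': 'view_story_%d' % db_story.id,
        'codename': 'view_story'
    }
    permission = api_base.entity_create(models.Permission, permission_dict)
    db_story.permissions.append(permission)
    for db_user in grantees:
        db_user.permissions.append(permission)
    return permission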
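    def get_one(self, subscription_id):
        """Retrieve a specific subscription record.

        Only the subscription's owner or a superuser may read it. An id
        that does not resolve is a 404; the previous code dereferenced the
        ``None`` returned by ``subscription_get`` (as the other ``*_get``
        helpers here behave) and produced a 500.

        NOTE(review): answering 403 for another user's subscription and 404
        for a missing one tells a caller which ids exist; return 404 for
        both if that matters.

        :param subscription_id: The unique id of this subscription.
        """

        subscription = subscription_api.subscription_get(subscription_id)
        if subscription is None:
            abort(404, _("Subscription %s not found.") % subscription_id)

        current_user = user_api.user_get(request.current_user_id)

        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You do not have access to this record."))

        return Subscription.from_db_model(subscription)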
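    def delete(self, subscription_id):
        """Delete a specific subscription.

        Only the subscription's owner or a superuser may delete it. An id
        that does not resolve is a 404; the previous code dereferenced the
        ``None`` returned by ``subscription_get`` (as the other ``*_get``
        helpers here behave) and produced a 500.

        :param subscription_id: The unique id of the subscription to delete.
        """
        subscription = subscription_api.subscription_get(subscription_id)
        if subscription is None:
            abort(404, _("Subscription %s not found.") % subscription_id)

        # Sanity check on user_id
        current_user = user_api.user_get(request.current_user_id)
        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You can only remove your own subscriptions."))

        subscription_api.subscription_delete(subscription_id)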
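    def get(self, marker=None, offset=None, limit=None, event_type=None,
            subscriber_id=None, sort_field='id', sort_dir='asc'):
        """Retrieve a list of subscription events.

        Only the subscriber themselves or a superuser may list a
        subscriber's events; anyone else gets 403. Note that a request
        without ``subscriber_id`` is therefore rejected for non-superusers,
        because ``None`` never equals the caller's id.

        A marker that does not belong to ``subscriber_id`` is ignored. The
        ownership field on this model is ``subscriber_id`` — the same
        attribute ``get_one`` and ``delete`` check — whereas the previous
        code compared ``marker_sub.user_id``, which would raise
        AttributeError on the first request that actually supplied a marker.

        :param marker: The resource id where the page should begin.
        :param offset: The offset to begin the page at.
        :param limit: The number of subscription events to retrieve.
        :param event_type: The type of resource to search by.
        :param subscriber_id: The unique ID of the subscriber to search by.
        :param sort_field: The name of the field to sort on.
        :param sort_dir: Sort direction for results (asc, desc).
        """

        # Boundary check on limit.
        if limit is not None:
            limit = max(0, limit)

        current_user = user_api.user_get(request.current_user_id)
        if current_user.id != subscriber_id and \
                not current_user.is_superuser:
            abort(403, _("Permission Denied"))

        # Resolve the marker record after the authorization check, and
        # only when one was supplied.
        marker_sub = None
        if marker is not None:
            marker_sub = subscription_events_api.subscription_events_get(
                marker)
        if marker_sub and marker_sub.subscriber_id != subscriber_id:
            marker_sub = None

        subscriptions = subscription_events_api.subscription_events_get_all(
            marker=marker_sub,
            offset=offset,
            limit=limit,
            subscriber_id=subscriber_id,
            event_type=event_type,
            sort_field=sort_field,
            sort_dir=sort_dir)
        subscription_count = \
            subscription_events_api.subscription_events_get_count(
                subscriber_id=subscriber_id,
                event_type=event_type)

        # Apply the query response headers.
        if limit:
            response.headers['X-Limit'] = str(limit)
        if offset is not None:
            response.headers['X-Offset'] = str(offset)
        response.headers['X-Total'] = str(subscription_count)
        if marker_sub:
            response.headers['X-Marker'] = str(marker_sub.id)

        return [SubscriptionEvent.from_db_model(s) for s in subscriptions]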
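    def get_one(self, subscription_event_id):
        """Retrieve a specific subscription event.

        Only the event's subscriber or a superuser may read it. An id that
        does not resolve is a 404; the previous code dereferenced the
        ``None`` returned by ``subscription_events_get`` (as the other
        ``*_get`` helpers here behave) and produced a 500.

        :param subscription_event_id: The unique id of this subscription
            event.
        """
        subscription_event = subscription_events_api \
            .subscription_events_get(subscription_event_id)
        if subscription_event is None:
            abort(404, _("Subscription event %s not found.")
                  % subscription_event_id)

        current_user = user_api.user_get(request.current_user_id)
        if current_user.id != subscription_event.subscriber_id and \
                not current_user.is_superuser:
            abort(403, _("Permission Denied"))

        return SubscriptionEvent.from_db_model(subscription_event)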
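def update_permission(story, users, session=None):
    """Replace the user list of a story's permission with *users*.

    The story is re-read from the database (with its tags eagerly loaded)
    so that the permission relationship is attached to the given session.

    :param story: A story model; only its ``id`` is used.
    :param users: Iterable of user objects; each ``user.id`` is resolved
                  through users_api and the results become the new user set.
    :param session: Optional database session to query within.
    :return: Result of api_base.entity_update for the permission.
    :raises exc.NotFound: if the story or its permissions cannot be found.
    """
    story_id = story.id
    story = api_base.model_query(models.Story, session) \
        .options(subqueryload(models.Story.tags)) \
        .filter_by(id=story_id).first()
    # .first() yields None for an unknown id; report that explicitly rather
    # than failing with an AttributeError on story.permissions.
    if story is None:
        raise exc.NotFound(_("Story %d not found.") % story_id)
    if not story.permissions:
        raise exc.NotFound(_("Permissions for story %d not found.") % story_id)
    permission = story.permissions[0]
    permission_dict = {
        'name': permission.name,
        'codename': permission.codename,
        'users': [users_api.user_get(user.id) for user in users]
    }

    return api_base.entity_update(models.Permission, permission.id,
                                  permission_dict)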
    def put(self, team_id, user_id):
        """Add a user to a team.

        Example::

          TODO

        :param team_id: An ID of the team.
        :param user_id: An ID of the user.
        :return: The User API model for the added user, restricted to its
                 public fields.
        """

        teams_api.team_add_user(team_id, user_id)
        db_user = users_api.user_get(user_id)
        # Strip non-public attributes before the record leaves the API.
        public_user = api_base._filter_non_public_fields(
            db_user, db_user._public_fields)
        return wmodels.User.from_db_model(public_user)
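    def delete(self, subscription_event_id):
        """Delete a specific subscription event.

        Only the subscriber that owns the record, or a superuser, may
        delete it.

        :param subscription_event_id: The unique id of the
                                      subscription_event to delete.
        """
        subscription_event = subscription_events_api \
            .subscription_events_get(subscription_event_id)

        # An unknown id must produce a 404, not an AttributeError (500)
        # from reading subscriber_id off None.
        if not subscription_event:
            abort(404, _("Subscription event %s not found")
                  % subscription_event_id)

        current_user = user_api.user_get(request.current_user_id)
        if current_user.id != subscription_event.subscriber_id and \
                not current_user.is_superuser:
            abort(403, _("Permission Denied"))

        subscription_events_api.subscription_events_delete(
            subscription_event_id)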
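def update_permission(due_date_id, permission_dict):
    """Replace the user list of one of a due date's permissions.

    :param due_date_id: The id of the due date whose permission is updated.
    :param permission_dict: Dict with a ``codename`` selecting the
                            permission and a ``users`` list of user ids.
                            It is updated in place: ``users`` is replaced
                            by the resolved user objects.
    :return: Result of api_base.entity_update for the permission.
    :raises ClientSideError: if no permission with that codename exists
                             on the due date.
    """
    due_date = _due_date_get(due_date_id)
    codename = permission_dict['codename']

    # Resolve the permission before touching the user list so an unknown
    # codename fails fast, without any user lookups. If several permissions
    # share a codename the last match wins.
    permission_id = None
    for permission in due_date.permissions:
        if permission.codename == codename:
            permission_id = permission.id
    if permission_id is None:
        raise ClientSideError(_("Permission %s does not exist") % codename)

    user_ids = permission_dict.pop('users', None) or []
    permission_dict['users'] = [users_api.user_get(uid) for uid in user_ids]

    return api_base.entity_update(models.Permission, permission_id,
                                  permission_dict)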
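def update_permission(due_date_id, permission_dict):
    """Replace the user list of one of a due date's permissions.

    :param due_date_id: The id of the due date whose permission is updated.
    :param permission_dict: Dict with a ``codename`` selecting the
                            permission and a ``users`` list of user ids.
                            It is updated in place: ``users`` is replaced
                            by the resolved user objects.
    :return: Result of api_base.entity_update for the permission.
    :raises ClientSideError: if no permission with that codename exists
                             on the due date.
    """
    due_date = _due_date_get(due_date_id)
    codename = permission_dict['codename']

    # Resolve the permission before touching the user list so an unknown
    # codename fails fast, without any user lookups. If several permissions
    # share a codename the last match wins.
    permission_id = None
    for permission in due_date.permissions:
        if permission.codename == codename:
            permission_id = permission.id
    if permission_id is None:
        raise ClientSideError(_("Permission %s does not exist") % codename)

    user_ids = permission_dict.pop('users', None) or []
    permission_dict['users'] = [users_api.user_get(uid) for uid in user_ids]

    return api_base.entity_update(models.Permission, permission_id,
                                  permission_dict)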
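    def delete(self, subscription_event_id):
        """Delete a specific subscription event.

        Only the subscriber that owns the record, or a superuser, may
        delete it.

        :param subscription_event_id: The unique id of the
                                      subscription_event to delete.
        """
        subscription_event = subscription_events_api \
            .subscription_events_get(subscription_event_id)

        # An unknown id must produce a 404, not an AttributeError (500)
        # from reading subscriber_id off None.
        if not subscription_event:
            abort(404, _("Subscription event %s not found")
                  % subscription_event_id)

        current_user = user_api.user_get(request.current_user_id)
        if current_user.id != subscription_event.subscriber_id and \
                not current_user.is_superuser:
            abort(403, _("Permission Denied"))

        subscription_events_api.subscription_events_delete(
            subscription_event_id)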
    def put(self, team_id, user_id):
        """Add a user to a team.

        Example::

          TODO

        :param team_id: An ID of the team.
        :param user_id: An ID of the user.
        :return: The User API model for the added user, restricted to its
                 public fields.
        """

        teams_api.team_add_user(team_id, user_id)
        db_user = users_api.user_get(user_id)
        # Strip non-public attributes before the record leaves the API.
        public_user = api_base._filter_non_public_fields(
            db_user, db_user._public_fields)
        return wmodels.User.from_db_model(public_user)
    def post(self, subscription):
        """Create a new subscription.
           Note: target_id is the same value as the story_id of a story.

        Example::

           curl https://my.example.org/api/v1/subscriptions \\
           -H 'Authorization: Bearer MY_ACCESS_TOKEN' \\
           -H 'Content-Type: application/json;charset=UTF-8' \\
           --data-binary '{"target_type":"story","target_id":8}'

        :param subscription: A subscription within the request body.
        :return: The Subscription API model for the created record.
        """

        # Both halves of the target are required.
        missing_target = (not subscription.target_type
                          or not subscription.target_id)
        if missing_target:
            abort(400, _('You are missing either the target_type or the'
                         ' target_id'))

        # Subscribing on behalf of someone else is a superuser-only action.
        requester_id = request.current_user_id
        requester = user_api.user_get(requester_id)
        if not subscription.user_id:
            subscription.user_id = requester_id
        elif (subscription.user_id != requester_id
              and not requester.is_superuser):
            abort(403, _("You can only subscribe to resources on your own."))

        # The target must resolve; the lookup is scoped to the requester.
        target = subscription_api.subscription_get_resource(
            target_type=subscription.target_type,
            target_id=subscription.target_id,
            current_user=requester_id)
        if not target:
            abort(400, _('You cannot subscribe to a nonexistent resource.'))

        # At most one subscription per (user, target).
        duplicates = subscription_api.subscription_get_all(
            target_type=[subscription.target_type],
            target_id=subscription.target_id,
            user_id=subscription.user_id)
        if duplicates:
            abort(409, _('You are already subscribed to this resource.'))

        created = subscription_api.subscription_create(subscription.as_dict())
        return Subscription.from_db_model(created)
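def superuser():
    """Require the caller of the current request to be a superuser.

    :return: False when the request carries no token, the token is unknown,
             or the token's user cannot be resolved; True when the token's
             user is a superuser.
    :raises: aborts with 403 when the token resolves to a user who is not
             a superuser.
    """
    token = _get_token()

    if not token:
        return False

    token = token_api.access_token_get_by_token(token)

    if not token:
        return False

    user = user_api.user_get(token.user_id)

    # A token whose user no longer resolves must not reach the superuser
    # check (AttributeError on None); treat it like an unknown token.
    if not user:
        return False

    if not user.is_superuser:
        abort(403, _("This action is limited to superusers only."))

    return user.is_superuser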
    def self(self):
        """Return the currently logged in user

        Example::

          curl https://my.example.org/api/v1/users/self \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN'

        :return: The User record for the current user.
        :raises exc.NotFound: if no user matches the authenticated id.
        """
        requester_id = request.current_user_id
        # filter_non_public=False: the caller is reading their own record,
        # so the non-public fields are included.
        record = users_api.user_get(requester_id, filter_non_public=False)
        if record:
            return record
        raise exc.NotFound(_("User %s not found") % requester_id)
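def update_permission(story, users, session=None):
    """Replace the user list of a story's permission with *users*.

    The story is re-read from the database (with its tags eagerly loaded)
    so that the permission relationship is attached to the given session.

    :param story: A story model; only its ``id`` is used.
    :param users: Iterable of user objects; each ``user.id`` is resolved
                  through users_api and the results become the new user set.
    :param session: Optional database session to query within.
    :return: Result of api_base.entity_update for the permission.
    :raises exc.NotFound: if the story or its permissions cannot be found.
    """
    story_id = story.id
    story = api_base.model_query(models.Story, session) \
        .options(subqueryload(models.Story.tags)) \
        .filter_by(id=story_id).first()
    # .first() yields None for an unknown id; report that explicitly rather
    # than failing with an AttributeError on story.permissions.
    if story is None:
        raise exc.NotFound(_("Story %d not found.") % story_id)
    if not story.permissions:
        raise exc.NotFound(_("Permissions for story %d not found.")
                           % story_id)
    permission = story.permissions[0]
    permission_dict = {
        'name': permission.name,
        'codename': permission.codename,
        'users': [users_api.user_get(user.id) for user in users]
    }

    return api_base.entity_update(models.Permission,
                                  permission.id,
                                  permission_dict)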
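    def post(self, story):
        """Create a new story.

        :param story: A story within the request body.
        :return: The Story API model for the created record.
        """

        # Reject private story types (ids 3 and 4) while ACL is not created.
        if story.story_type_id in (3, 4):
            abort(
                400,
                _("Now you can't add story with type %s.") %
                story.story_type_id)

        story_dict = story.as_dict()
        user_id = request.current_user_id

        # The creator is always the authenticated requester; a client may
        # not attribute the story to someone else.
        if story.creator_id and story.creator_id != user_id:
            abort(400, _("You can't select author of story."))

        story_dict.update({"creator_id": user_id})

        if not stories_api.story_can_create_story(story.story_type_id):
            abort(400, _("Can't create story of this type."))

        if not story_dict.get("tags"):
            story_dict["tags"] = []

        # We can't set due dates when creating stories at the moment.
        story_dict.pop("due_dates", None)

        # An absent "users" key means no users; an explicit null means
        # "just the creator".
        users = story_dict.pop("users", [])
        if users is None:
            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]

        created_story = stories_api.story_create(story_dict)
        events_api.story_created_event(created_story.id, user_id, story.title)

        if story.private:
            stories_api.create_permission(created_story, users)

        return wmodels.Story.from_db_model(created_story)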
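    def get_one(self, subscription_id):
        """Retrieve a specific subscription record.

        Example::

          curl https://my.example.org/api/v1/subscriptions/4 \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN'

        Only the owning user or a superuser may read the record.

        :param subscription_id: The unique id of this subscription.
        :return: The Subscription API model for the record.
        """

        subscription = subscription_api.subscription_get(subscription_id)
        # Guard against a None lookup result so an unknown id yields a 404
        # rather than an AttributeError on subscription.user_id.
        if not subscription:
            abort(404, _("Subscription %s not found") % subscription_id)

        current_user = user_api.user_get(request.current_user_id)

        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You do not have access to this record."))

        return Subscription.from_db_model(subscription)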
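    def delete(self, subscription_id):
        """Delete a specific subscription.

        Example::

          curl https://my.example.org/api/v1/subscriptions/10 -X DELETE \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN'

        Only the owning user or a superuser may delete the record.

        :param subscription_id: The unique id of the subscription to delete.
        """
        subscription = subscription_api.subscription_get(subscription_id)
        # Guard against a None lookup result so an unknown id yields a 404
        # rather than an AttributeError on subscription.user_id.
        if not subscription:
            abort(404, _("Subscription %s not found") % subscription_id)

        # Sanity check on user_id
        current_user = user_api.user_get(request.current_user_id)
        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You can only remove your own subscriptions."))

        subscription_api.subscription_delete(subscription_id)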
    def _assert_can_access(self, user_id, token_entity=None):
        """Abort unless the requester may act on *user_id*'s tokens.

        Checks, in order: user_id must be given (400); the requester must
        be logged in (401); the requester must be user_id or a superuser
        (403); a token in the body must not name a different user than the
        path (403).

        :param user_id: The user id taken from the request path.
        :param token_entity: Optional token entity from the request body.
        """
        requester = user_api.user_get(request.current_user_id)

        if not user_id:
            abort(400, _("user_id is missing."))

        # The user must be logged in.
        if not requester:
            abort(401, _("You must log in to do this."))

        # Acting on another user's tokens is reserved for admins.
        acting_on_other = requester.id != user_id
        if acting_on_other and not requester.is_superuser:
            abort(403, _("You are not admin and can't do this."))

        # The path-based impacted user and the user found in the entity must
        # be identical. No PUT /users/1/tokens { user_id: 2 }
        entity_user_mismatch = (token_entity
                                and token_entity.user_id != user_id)
        if entity_user_mismatch:
            abort(403, _("token_entity.user_id or user_id is wrong."))
    def post(self, subscription):
        """Create a new subscription.

        :param subscription: A subscription within the request body.
        :return: The Subscription API model for the created record.
        """

        # Both halves of the target are required.
        missing_target = (not subscription.target_type
                          or not subscription.target_id)
        if missing_target:
            abort(
                400,
                _('You are missing either the target_type or the'
                  ' target_id'))

        # Subscribing on behalf of someone else is a superuser-only action.
        requester_id = request.current_user_id
        requester = user_api.user_get(requester_id)
        if not subscription.user_id:
            subscription.user_id = requester_id
        elif (subscription.user_id != requester_id
              and not requester.is_superuser):
            abort(403, _("You can only subscribe to resources on your own."))

        # The target must resolve; the lookup is scoped to the requester.
        target = subscription_api.subscription_get_resource(
            target_type=subscription.target_type,
            target_id=subscription.target_id,
            current_user=requester_id)
        if not target:
            abort(400, _('You cannot subscribe to a nonexistent resource.'))

        # At most one subscription per (user, target).
        duplicates = subscription_api.subscription_get_all(
            target_type=[subscription.target_type],
            target_id=subscription.target_id,
            user_id=subscription.user_id)
        if duplicates:
            abort(409, _('You are already subscribed to this resource.'))

        created = subscription_api.subscription_create(subscription.as_dict())
        return Subscription.from_db_model(created)
    def _assert_can_access(self, user_id, token_entity=None):
        """Abort unless the requester may act on *user_id*'s tokens.

        Checks, in order: user_id must be given (400); the requester must
        be logged in (401); the requester must be user_id or a superuser
        (403); a token in the body must not name a different user than the
        path (403).

        :param user_id: The user id taken from the request path.
        :param token_entity: Optional token entity from the request body.
        """
        requester = user_api.user_get(request.current_user_id)

        if not user_id:
            abort(400, _("user_id is missing."))

        # The user must be logged in.
        if not requester:
            abort(401, _("You must log in to do this."))

        # Acting on another user's tokens is reserved for admins.
        acting_on_other = requester.id != user_id
        if acting_on_other and not requester.is_superuser:
            abort(403, _("You are not admin and can't do this."))

        # The path-based impacted user and the user found in the entity must
        # be identical. No PUT /users/1/tokens { user_id: 2 }
        entity_user_mismatch = (token_entity
                                and token_entity.user_id != user_id)
        if entity_user_mismatch:
            abort(403, _("token_entity.user_id or user_id is wrong."))
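    def post(self, story):
        """Create a new story.

        :param story: A story within the request body.
        :return: The Story API model for the created record.
        """

        # Reject private story types (ids 3 and 4) while ACL is not created.
        if story.story_type_id in (3, 4):
            abort(400, _("Now you can't add story with type %s.") %
                  story.story_type_id)

        story_dict = story.as_dict()
        user_id = request.current_user_id

        # The creator is always the authenticated requester; a client may
        # not attribute the story to someone else.
        if story.creator_id and story.creator_id != user_id:
            abort(400, _("You can't select author of story."))

        story_dict.update({"creator_id": user_id})

        if not stories_api.story_can_create_story(story.story_type_id):
            abort(400, _("Can't create story of this type."))

        if not story_dict.get("tags"):
            story_dict["tags"] = []

        # We can't set due dates when creating stories at the moment.
        story_dict.pop("due_dates", None)

        # An absent "users" key means no users; an explicit null means
        # "just the creator".
        users = story_dict.pop("users", [])
        if users is None:
            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]

        created_story = stories_api.story_create(story_dict)
        events_api.story_created_event(created_story.id, user_id, story.title)

        if story.private:
            stories_api.create_permission(created_story, users)

        return wmodels.Story.from_db_model(created_story)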
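    def get_one(self, subscription_id):
        """Retrieve a specific subscription record.

        Example::

          curl https://my.example.org/api/v1/subscriptions/4 \\
          -H 'Authorization: Bearer MY_ACCESS_TOKEN'

        Only the owning user or a superuser may read the record.

        :param subscription_id: The unique id of this subscription.
        :return: The Subscription API model for the record.
        """

        subscription = subscription_api.subscription_get(subscription_id)
        # Guard against a None lookup result so an unknown id yields a 404
        # rather than an AttributeError on subscription.user_id.
        if not subscription:
            abort(404, _("Subscription %s not found") % subscription_id)

        current_user = user_api.user_get(request.current_user_id)

        if subscription.user_id != request.current_user_id \
                and not current_user.is_superuser:
            abort(403, _("You do not have access to this record."))

        return Subscription.from_db_model(subscription)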
def team_add_user(team_id, user_id):
    """Add the user *user_id* to team *team_id* and return the team.

    :param team_id: The id of the team to extend.
    :param user_id: The id of the user to add.
    :return: The updated team model.
    :raises exc.NotFound: if the team or the user does not exist.
    :raises ClientSideError: if the user is already a member.
    """
    session = api_base.get_session()

    with session.begin(subtransactions=True):
        team = _entity_get(team_id, session)
        if team is None:
            raise exc.NotFound(_("Team %s not found") % team_id)

        user = users.user_get(user_id)
        if user is None:
            raise exc.NotFound(_("User %s not found") % user_id)

        # Membership is decided by user id, not by object identity.
        already_member = any(member.id == user_id for member in team.users)
        if already_member:
            raise ClientSideError(_("The User %(user_id)d is already "
                                    "in Team %(team_id)d") %
                                  {'user_id': user_id, 'team_id': team_id})

        team.users.append(user)
        session.add(team)

    return team
def team_delete_user(team_id, user_id):
    """Remove the user *user_id* from team *team_id* and return the team.

    :param team_id: The id of the team to shrink.
    :param user_id: The id of the user to remove.
    :return: The updated team model.
    :raises exc.NotFound: if the team or the user does not exist.
    :raises ClientSideError: if the user is not a member of the team.
    """
    session = api_base.get_session()

    with session.begin(subtransactions=True):
        team = _entity_get(team_id, session)
        if team is None:
            raise exc.NotFound(_("Team %s not found") % team_id)

        user = users.user_get(user_id)
        if user is None:
            raise exc.NotFound(_("User %s not found") % user_id)

        # Remove the team's own entry for this user id; membership is
        # decided by id, not by object identity.
        member = next((m for m in team.users if m.id == user_id), None)
        if member is None:
            raise ClientSideError(_("The User %(user_id)d is not in "
                                    "Team %(team_id)d") %
                                  {'user_id': user_id, 'team_id': team_id})

        team.users.remove(member)
        session.add(team)

    return team